1. Field of the Invention
The present invention relates to a server apparatus, a method, and a computer program product that can prevent denial-of-service attacks in which a response packet, amplified relative to a query packet whose source address is spoofed, is transmitted to the spoofed source.
2. Description of the Related Art
Domain name system (DNS), one of the backbone functions of the Internet, is a client-server database system that provides services based on data associating host names with internet protocol (IP) addresses. A DNS client transmits a query packet containing a specific domain name (such as a host name) to a server, and the server processes the query packet and transmits back to the client a response packet containing the data corresponding to the query (a resource record, or simply a record).
The server generally returns the response packet without authenticating the client; that is, the server responds equally to any client. In particular, an authoritative server, as a general rule, has to respond to all of the queries transmitted from clients.
Denial-of-service (DoS) attacks that exploit authoritative servers have recently come into focus. In such an attack, an attacker node transmits to a server a query packet whose source address is spoofed to be that of a victim node. The attacker chooses a domain name or a resource record that causes the server to create a response packet with a data size much larger than that of the query packet. The data size of a usual DNS response packet is already larger than that of the corresponding query packet, and the data size of a response message using extension mechanisms for DNS (EDNS0) or DNS security extensions (DNSSEC) may become ten times as large as that of the corresponding query packet.
The server transmits the response packet to the source address of the query packet. Because the source address is spoofed, the response packet is transmitted to the victim node. Since the data size of a response packet is larger than that of the corresponding query packet, the attacker node can cause severe damage with relatively little bandwidth. For example, if the data size of the response packet is ten times that of the corresponding query packet and the attacker uses a network bandwidth of 10 Mbps (megabits per second), the damage caused is equivalent to that of a 100 Mbps attack.
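The reflection and amplification mechanism described above, as an added example that is not part of the patent text: a minimal authoritative server built on DNS wire format (RFC 1035 header, question and TXT record; RFC 6891 EDNS0 OPT pseudo-record) answers a query whose source address has been spoofed to the victim's, and the example computes the resulting amplification factor and the bandwidth reflected onto the victim. The zone contents, the addresses, the transaction ID and the attacker bandwidth are all constructed for illustration; the factor obtained is a property of the packets built here, not a measurement of any real server.

```python
import struct
from dataclasses import dataclass

# Added example, not code from the patent: a minimal model of DNS reflection and
# amplification. Wire format per RFC 1035 (header, question, TXT RR) and RFC 6891
# (EDNS0 OPT pseudo-RR). Zone data and addresses are constructed for illustration.

TYPE_TXT = 16
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels, terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(buf: bytes) -> tuple:
    """Decode an uncompressed name at the start of buf; returns (name, bytes consumed)."""
    labels, pos = [], 0
    while buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def build_query(qname: str, qtype: int, txid: int = 0x1234, udp_payload: int = 4096) -> bytes:
    """Query with RD set plus an EDNS0 OPT RR advertising a large UDP payload size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)  # root name, no options
    return header + question + opt


def txt_rr(text: bytes, ttl: int = 3600) -> bytes:
    """TXT RR owned by the question name (compression pointer to offset 12)."""
    chunks = [text[i:i + 255] for i in range(0, len(text), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    return b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata


def question_section(query: bytes) -> bytes:
    """The single question (name + QTYPE + QCLASS) of a query; queries carry no compression."""
    _, consumed = decode_name(query[12:])
    return query[12:12 + consumed + 4]


def build_response(query: bytes, answers: list) -> bytes:
    """Echo the transaction ID and question, set QR/RD/RA, append the answer RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    return header + question_section(query) + b"".join(answers)


@dataclass
class Datagram:
    src: str
    dst: str
    payload: bytes


# Constructed zone: one name carrying a bulky TXT RRset.
ZONE = {
    ("example.com.", TYPE_TXT): [txt_rr(b"v=spf1 " + b"x" * 100), txt_rr(b"y" * 200)],
}


def serve(incoming: Datagram, server_ip: str) -> Datagram:
    """An authoritative server answers every query and addresses the reply to the
    datagram's source address, which it has no way to authenticate."""
    q = question_section(incoming.payload)
    qname, consumed = decode_name(q)
    qtype = struct.unpack("!H", q[consumed:consumed + 2])[0]
    answers = ZONE.get((qname, qtype), [])
    return Datagram(src=server_ip, dst=incoming.src,
                    payload=build_response(incoming.payload, answers))


def amplification(query: bytes, response: bytes) -> float:
    return len(response) / len(query)


def reflect_attack(attacker_mbps: float, victim_ip: str = "203.0.113.9",
                   server_ip: str = "198.51.100.53") -> tuple:
    """Attacker sends the query with the victim's address as source; the amplified
    reply, carrying attacker_mbps times the amplification factor, lands on the victim.
    Returns (reply destination, query bytes, reply bytes, factor, reflected Mbps)."""
    query = build_query("example.com.", TYPE_TXT)
    spoofed = Datagram(src=victim_ip, dst=server_ip, payload=query)  # source is the victim
    reply = serve(spoofed, server_ip)
    factor = amplification(query, reply.payload)
    return reply.dst, len(query), len(reply.payload), factor, attacker_mbps * factor


if __name__ == "__main__":
    print(reflect_attack(10.0))
```

With the constructed zone the 40-byte query yields a 362-byte reply, roughly the factor of ten the text mentions, and the reply is addressed to the spoofed source; a larger RRset, or DNSSEC signatures, only raises the factor, since nothing in the server's processing depends on who actually sent the query.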
To prevent such DoS attacks, various techniques have been proposed. For example, in the technique described in the article entitled “Preventing Use of Recursive Nameservers in Reflector Attacks”, by J. Damas et al., retrieved from the Internet: <URL: http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-02.text>, an address-based query filter is used to prevent queries with spoofed source addresses from being answered. According to that technique, the address-based query filter enables the server to answer only queries received from qualified clients with predetermined addresses (generally, nodes of the organization to which the server belongs). This restricts the set of nodes on the network that can be attacked. However, an authoritative server, which has to respond to every query regardless of which client transmitted it, cannot employ the technique.
Another article entitled “Domain Name System (DNS) Cookies”, by Donald E. Eastlake 3rd, retrieved from the Internet: <URL: http://www.ietf.org/internet-drafts/eastlake-dnsext-cookies-00.txt>, discloses a technique for extending the DNS protocol by transferring cookies between the server and the clients, which makes it possible to avoid unconditionally responding to a query with a spoofed source address.
However, although the technique disclosed in “Domain Name System (DNS) Cookies” can be employed by an authoritative server, it requires the clients to support the mechanism used in the technique. This means that the system does not work effectively until all of the existing clients on the Internet support it.
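The cookie exchange described above and its limitation with legacy clients, as an added example that is not code from the patent or from the cited draft: a simplified DNS cookie model in which the server cookie is an HMAC over the client cookie, the address the query arrived from and a server secret (this is the construction of the later RFC 7873; the cited draft-00 may differ in detail, so treat the layout as an assumption). Messages are modelled as Python objects rather than wire format, `size()` is an assumed approximation of the wire size, and the server secret, client cookie, zone contents and addresses are constructed. The example shows a legitimate client completing the two round trips, a spoofing attacker that supports cookies receiving only a small cookie-bearing reply, and a spoofing attacker that simply omits the cookie and is still answered in full.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not code from the patent or the cited draft: a simplified model of
# DNS cookies. Server cookie = HMAC(secret, client cookie || client address), as in
# RFC 7873 (the draft-00 cited above may differ). Messages are objects, not wire
# format; size() is an assumed approximation. All data below is constructed.

SERVER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed secret
BADCOOKIE = 23  # extended RCODE: "no valid server cookie; a fresh one is enclosed"
ZONE = {"example.com.": ["TXT " + "x" * 300]}  # constructed bulky RRset


@dataclass
class Message:
    qname: str
    client_cookie: Optional[bytes] = None
    server_cookie: Optional[bytes] = None
    rcode: int = 0
    answers: List[str] = field(default_factory=list)

    def size(self) -> int:
        """Assumed wire size: header + question + COOKIE option + answer text."""
        n = 12 + len(self.qname) + 6
        if self.client_cookie is not None:
            n += 4 + len(self.client_cookie)  # option code/length + client cookie
        if self.server_cookie is not None:
            n += len(self.server_cookie)
        return n + sum(len(a) for a in self.answers)


def make_server_cookie(client_cookie: bytes, client_ip: str,
                       secret: bytes = SERVER_SECRET) -> bytes:
    """Bind the cookie to the client cookie and to the source address the query came from."""
    mac = hmac.new(secret, client_cookie + client_ip.encode("ascii"), hashlib.sha256)
    return mac.digest()[:16]


def serve(query: Message, src_ip: str) -> Message:
    """Authoritative server with cookie support; src_ip is the datagram's source address."""
    answers = ZONE.get(query.qname, [])
    if query.client_cookie is None:
        # Legacy client without cookie support: the server must still answer in full,
        # so a cookie-less query with a spoofed source is amplified as before.
        return Message(query.qname, answers=answers)
    expected = make_server_cookie(query.client_cookie, src_ip)
    if query.server_cookie is None or not hmac.compare_digest(query.server_cookie, expected):
        # Source address not yet proven reachable: return only the cookie, never the answer.
        return Message(query.qname, query.client_cookie, expected, rcode=BADCOOKIE)
    return Message(query.qname, query.client_cookie, expected, answers=answers)


def amplification(query: Message, response: Message) -> float:
    return response.size() / query.size()


def legitimate_client(qname: str, client_ip: str) -> list:
    """Two round trips: learn the server cookie, then retry with it and get the answer."""
    cc = b"\x42" * 8  # constructed client cookie (random in practice)
    q1 = Message(qname, client_cookie=cc)
    r1 = serve(q1, client_ip)  # BADCOOKIE carrying the server cookie
    q2 = Message(qname, client_cookie=cc, server_cookie=r1.server_cookie)
    r2 = serve(q2, client_ip)  # full answer
    return [(q1, r1), (q2, r2)]


def spoofing_attacker(qname: str, victim_ip: str) -> tuple:
    """Attacker spoofs the victim's address and sends a client cookie: the server cookie
    is delivered to the victim, so the attacker can never present a valid one."""
    q = Message(qname, client_cookie=b"\x00" * 8)
    return q, serve(q, victim_ip)


def legacy_attacker(qname: str, victim_ip: str) -> tuple:
    """Attacker omits the cookie entirely; the server cannot distinguish it from an old client."""
    q = Message(qname)
    return q, serve(q, victim_ip)
```

The cookie-aware spoofed query gets back a reply barely larger than itself, which removes the amplification; the cookie-less spoofed query still receives the full RRset, which is exactly why the mechanism only helps once every client on the Internet sends cookies and the server can refuse to answer those that do not.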